lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 20 Jun 2015 20:53:53 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org, Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH net] netfilter: nf_queue: Don't recompute the hook_list
 head

On Sat, Jun 20, 2015 at 09:08:20AM -0500, Eric W. Biederman wrote:
> Pablo Neira Ayuso <pablo@...filter.org> writes:
> 
> > On Fri, Jun 19, 2015 at 05:23:37PM -0500, Eric W. Biederman wrote:
> >> 
> >> If someone sends packets from one of the netdevice ingress hooks to
> >> the a userspace queue, and then userspace later accepts the packet,
> >> the netfilter code can enter an infinite loop as the list head will
> >> never be found.
> >> 
> >> Pass in the saved list_head to avoid this.
> >
> > There is no userspace queueing for netdevice yet, so this can be route
> > through nf-next. Thanks.
> 
> *scratches head* the netdevice queueing is in the netfilter core.
> 
> netfilter_ingress calls nf_hook_slow.  The queuing happens in
> nf_hook_slow if anything returns the verdict queue it.
> 
> This patch applies to Linus's tree.
> 
> So how in the world does this not need to be ported to 4.1?

There is no nfnetlink_queue support for the netdev family at this
moment, so this can't be triggered unless you use an out of tree
module.

I have a patch here to add a static key to disable userspace queueing
per family using a static key so that part would be basically
inactive.

But if you really want to see this in 4.1, no problem, please just let
me know and I'll pass it to David, as I said it's basically not
resolving any urgent problem so this is not harming.

Thank you.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ